In April 2024, a critical vulnerability surfaced in the widely-used WordPress plugin User Registration – Custom Registration Form, Login Form, and User Profile (up to version 3.1.5). Known as CVE-2024-3295, this flaw lets unauthenticated users (in simple English: anyone, even without logging in) erase any file in your site’s Media Library. As this plugin powers over 60,000 websites, the impact is huge for anyone using WordPress to manage memberships or user profiles.
Below, I break down exactly what went wrong, how the exploit works, plus code samples, references, and what you should do right away.
How Does the Vulnerability Work?
The issue is in a function called profile_pic_remove. Normally, only logged-in users or admins should be able to delete their own profile pictures. But in this code, no capability check or authentication step stops just anyone from calling this function. That means an attacker can craft a simple request to wipe any image on your site.
The function receives a media attachment ID, and calls WordPress to delete the file.
If an attacker knows—or guesses—any attachment ID, they can delete those images, including your logos, banners, and even product images… all without ever logging in!
Original Vulnerability Disclosure
- Official plugin listing: WordPress.org Plugin Page
- Original vulnerability details: WPScan Advisory
- Patchstack report
Real-World Exploit Example (With Code)
Let’s see how this happens. If your site is at https://example.com, and a media image on your site has the ID 123, an attacker just needs to do a POST request like this:
Curl Command Example
curl -X POST -d 'attachment_id=123' https://example.com/wp-admin/admin-ajax.php?action=profile_pic_remove
attachment_id=123 is the ID of the file that will be wiped out.
That’s it. This can be scripted, looped over possible IDs, or even launched from a browser’s JavaScript console.
Here’s an excerpt based on the plugin’s source (simplified)
public function profile_pic_remove() {
$attachment_id = $_POST['attachment_id'];
if ( $attachment_id ) {
wp_delete_attachment( $attachment_id, true );
wp_send_json_success();
} else {
wp_send_json_error();
}
}
// No check like: current_user_can('edit_user', get_current_user_id())
add_action( 'wp_ajax_nopriv_profile_pic_remove', array( $this, 'profile_pic_remove' ) );
add_action( 'wp_ajax_profile_pic_remove', array( $this, 'profile_pic_remove' ) );
The key mistake:
Both the logged-in and non-logged-in (‘nopriv’) actions call the same function, with no checks for who is making the request.
Who Is At Risk?
If:
Your site is open to the internet…
…You are at risk. Thousands of sites are, evidenced by easy proof-of-concept code.
Cause you to lose SEO and business
In short: If you store any uploads, they’re all exposed.
How to Fix
Update the Plugin:
The plugin was patched after version 3.1.5. Update immediately to the latest version from WordPress.org.
How Should the Code Have Looked?
A safe fix: check that the user is logged in and has permission before deleting files.
public function profile_pic_remove() {
if ( ! is_user_logged_in() || ! current_user_can( 'edit_user', get_current_user_id() ) ) {
wp_send_json_error( 'Not authorized!' );
die();
}
$attachment_id = intval( $_POST['attachment_id'] );
// Additional check: ensure this is the user's own file
if ( $attachment_id ) {
wp_delete_attachment( $attachment_id, true );
wp_send_json_success();
} else {
wp_send_json_error();
}
}
Conclusion
This bug shows that even trusted, high-download plugins are not immune from simple mistakes with dangerous consequences. Always check who can call sensitive functions—especially those that delete data!
If you run a WordPress site, patch and update now. If you’re building plugins, always do proper capability checks!
References
- WordPress Plugin Vulnerability Report - Patchstack
- WPScan Advisory
- Official plugin page
Stay safe, keep your plugins updated, and share this post to help warn others!
Timeline
Published on: 05/02/2024 17:15:24 UTC
Last modified on: 05/02/2024 18:00:37 UTC